
Re: CSP3: DOM API Strawman

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 14:59:35 +0100
Message-ID: <CAKXHy=cjkkg+oaJ_484X4Cc_z3n0phVjQSmAzXrH75Ac=R77fg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Nov 3, 2014 at 2:54 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/3/14, 8:43 AM, Mike West wrote:
>> I think of it as a pure virtual interface which SecurityPolicySourceURL,
>> SecurityPolicySourceHash, and SecurityPolicySourceNonce implement. I
>> suppose this doesn't actually require marking it as NoInterfaceObject,
>> however.
> What's the point of such a pure virtual interface, exactly?  What are the
> use cases?

The policy `script-src https://example.com 'sha256-...' 'nonce-...'` has
three source expressions. It seems reasonable to treat them all as
"expressions" that support "match()" operations for the purposes of the
`sources` attribute. It would be good to be able to walk through the list
with a `forEach` in order to determine whether a specific Request or Node
matched an item in the list.

Exposing an array of "stuff" seems like a poor way to model this data set.

> It's very unlikely that you want this to be NoInterfaceObject.  You either
> don't want such an interface at all, or you want it to have a sane
> constructor object with a prototype object hanging off it and all that.

Agreed. Thanks for pointing this out.

>> Those are arrays only because Bikeshed is rejecting
>> `sequence<SecurityPolicySource>`.
> Yeah, we need to finally fix https://www.w3.org/Bugs/Public/show_bug.cgi?id=23682
> and update Bikeshed accordingly...

I am all for someone who knows what they're doing doing that. ;)

Received on Monday, 3 November 2014 14:00:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC